
Allow everyone to use SFTP and restrict SSH port forwarding #6059

Closed
stephdl opened this issue Feb 11, 2020 · 8 comments
Labels
verified All test cases were verified successfully

Comments


stephdl commented Feb 11, 2020

With the new policy we allow a group access to OpenSSH, and we decide who is able to use either SSH and SFTP or only SFTP. It could be interesting to delegate a group matching everybody on the server. This will ease the authorization process if we want to delegate all users of the account provider.

From a security perspective, we could also restrict TCP forwarding for the SFTP users. This is a hole in the security.

Proposed solution

Disable all forwarding features, including X11, ssh-agent, TCP and streamlocal, by adding the directive DisableForwarding.

Match by the API the group users@domain.com for AD or locals@nethservertest.org for OpenLDAP, and allow it to be used inside the group dropdown.


Thanks @DavidePrincipi

@stephdl stephdl self-assigned this Feb 11, 2020
@DavidePrincipi DavidePrincipi added this to ⚙ Developing in NethServer 7 Feb 11, 2020
@DavidePrincipi DavidePrincipi changed the title OpenSSH: Allow everyone to use SFTP and restrict TCPForwarding Allow everyone to use SFTP and restrict SSH port forwarding Feb 25, 2020
stephdl added a commit to NethServer/nethserver-openssh that referenced this issue Feb 25, 2020
Fix SSH login failure with conflicting group permissions  NethServer/dev#6058
Allow everyone to use SFTP and restrict SSH port forwarding NethServer/dev#6059
stephdl added a commit to NethServer/nethserver-cockpit that referenced this issue Feb 25, 2020
Member

nethbot commented Feb 25, 2020

in 7.7.1908/testing:

Member

nethbot commented Feb 25, 2020

in 7.7.1908/testing:

Author

stephdl commented Feb 25, 2020

QA

  • Install nethserver-cockpit and nethserver-openssh from testing
  • Install OpenLDAP or DC to have some groups/users
  • Set $sssd{'ShellOverrideStatus'} to enabled

Then you will see a new Everyone widget to delegate access to SSH and/or SFTP.

You need to demonstrate that if Everyone is granted SSH and/or SFTP, a user can access even if its group is not listed; if Everyone has no access, this user cannot connect anymore.

@stephdl stephdl removed their assignment Feb 25, 2020
@stephdl stephdl added the testing Packages are available from testing repositories label Feb 25, 2020
Author

stephdl commented Feb 26, 2020

  • remember translation

@DavidePrincipi DavidePrincipi self-assigned this Feb 27, 2020
DavidePrincipi added a commit to NethServer/nethserver-cockpit that referenced this issue Feb 27, 2020
Member

VERIFIED

ok - ssh

ok - sftp-only, no port forwarding:

$ ssh -L 20980:localhost:980 second.user@192.168.122.5
second.user@192.168.122.5's password: 
This service allows sftp connections only.
Connection to 192.168.122.5 closed.
$ ssh -N -L 20980:localhost:980 second.user@192.168.122.5
second.user@192.168.122.5's password: 
channel 2: open failed: administratively prohibited: open failed

  • Amended docinfo labels
  • Pushed translations to Transifex
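As an added illustration of the proposed solution and of the verification above (this is not the configuration NethServer generates; the group names and the commented-out "before" block are assumptions), a sshd_config fragment in the Match-based shape the issue describes. ForceCommand internal-sftp alone only replaces the shell, so an sftp-only user can still open tunnels with `ssh -N -L`; adding DisableForwarding is what produces the "administratively prohibited" refusal seen in the log.

```sshd_config
# --- Before (commented out, kept for contrast): sftp-only by ForceCommand alone ---
# A client running "ssh -N -L 20980:localhost:980 second.user@host" would still
# get its direct-tcpip channel accepted, because only the shell is replaced.
#Match Group sftp-only-users
#    ForceCommand internal-sftp

# --- After: same group, every forwarding feature disabled in one directive ---
# Assumed group name; NethServer derives the real one from the account provider.
# DisableForwarding (OpenSSH 7.4 and later) covers X11, ssh-agent, TCP and
# streamlocal forwarding together, so a later AllowTcpForwarding/X11Forwarding
# line cannot accidentally re-enable one of them for this group.
Match Group sftp-only-users
    ForceCommand internal-sftp
    DisableForwarding yes

# Users who may use both SSH and SFTP: no ForceCommand, but tunnels still off
# unless the policy explicitly grants them.
Match Group ssh-users
    DisableForwarding yes

# The "Everyone" case from the issue: the account provider's catch-all group
# (the AD example named on the page; quotes are needed because of the space).
Match Group "domain users@domain.com"
    ForceCommand internal-sftp
    DisableForwarding yes
```

To confirm which Match block a given account actually lands in, `sshd -T -C user=second.user,host=client.example,addr=192.0.2.10 | grep -Ei 'forcecommand|disableforwarding'` prints the effective values for that connection.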

Member

nethbot commented Feb 27, 2020

in 7.7.1908/testing:

@DavidePrincipi DavidePrincipi removed their assignment Feb 27, 2020
@DavidePrincipi DavidePrincipi added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Feb 27, 2020
Member

nethbot commented Feb 27, 2020

in 7.7.1908/updates:

Member

nethbot commented Feb 27, 2020

in 7.7.1908/updates:

NethServer 7 automation moved this from ⚙ Developing to 🗑 Done Feb 27, 2020